Data Privacy, Ethics and Protection Principles
The Guidance Note on Data Privacy, Ethics and Protection sets out general guidance on data privacy, data protection and data ethics for the United Nations Development Group (UNDG) concerning the use of big data, collected in real time by private sector entities as part of their business offerings, and shared with UNDG members for the purposes of strengthening operational implementation of their programmes to support the achievement of the 2030 Agenda.
The Guidance Note is designed to:
- Establish common principles across UNDG to support the operational use of big data for achievement of the Sustainable Development Goals (SDGs);
- Serve as a risk-management tool taking into account fundamental human rights; and
- Set principles for obtaining, retention, use and quality control for data from the private sector.
Recommendations
- The Guidance Note is not a legal document. It provides only a minimum basis for self-regulation, and therefore may be expanded and elaborated on by the implementing organizations.
- It is recommended that the Principles described in the Guidance Note be implemented through more detailed operational guidelines that account for the implementation of UNDG member organizations’ mandates as well as their existing regulations, rules and policies concerning data privacy, data protection, data ethics and data security.
- It is recommended that designated legal, ethics, privacy and security experts be consulted, when necessary, regarding the implementation of, and compliance with, this Note.
- Implementing organizations are encouraged to establish a monitoring mechanism for compliance and implementation of this Note.
Our Data Privacy & Data Protection Principles
Purpose of use
We access, analyse or otherwise use data for purposes consistent with the United Nations mandate and in furtherance of the Sustainable Development Goals
Right to use
We access, analyse or otherwise use data that has been obtained by lawful and fair means, including, where appropriate, with the knowledge or consent of the individual whose data is used
Purpose compatibility
We ensure, to the extent possible, that all of the data we use for project purposes is adequate, relevant, and not excessive in relation to the legitimate and fair purposes for which the data was obtained
Individual privacy
We do not access, analyse or otherwise use the content of private communications without the knowledge or proper consent of the individual
We do not knowingly or purposefully access, analyse, or otherwise use personal data that was shared by an individual with a reasonable expectation of privacy, without the knowledge or consent of the individual
We do not attempt to knowingly and purposefully re-identify de-identified data, and we make all reasonable efforts to prevent any unlawful and unjustified re-identification
Data security
We ensure reasonable and appropriate technical and organisational safeguards are in place to prevent unauthorised disclosure or breach of data
Risk and harm assessment and risk mitigation
We perform a risk assessment and implement appropriate mitigation processes before any new or substantially changed project is undertaken
We take into consideration the impact that data use can have not only on individuals but also on groups of individuals
We ensure that the risks and harms are not excessive in relation to the positive impact of the project
Data sensitivity
We employ stricter standards of care while conducting research among vulnerable populations and persons at risk, children and young people, and any other sensitive data
Data minimisation
We ensure the data use is limited to the minimum necessary
Data retention
We ensure that the data used for a project is being stored only for the necessary duration and that any retention of it is justified
Data quality and accountability
We design, carry out, report and document our activities with adequate accuracy and openness
Our collaborators
We require that our collaborators are acting in compliance with relevant law, data privacy and data protection standards and the United Nations’ global mandate.